Patch Tuesday Closes 29 Vulnerabilities in IE and Windows

Microsoft fixed 29 vulnerabilities in Internet Explorer and supported versions of Windows as part of July Patch Tuesday. The lion’s share of the vulnerabilities fixed this round were in Internet Explorer.

Of the six security bulletins released, only two of them—for Internet Explorer and Windows Journal—are rated as critical, according to Microsoft’s Patch Tuesday advisory. Three are rated as important, and the final bulletin has only a moderate rating. Both the IE and Windows Journal bulletins address remote code execution flaws. The important bulletins fixed elevation of privilege flaws in the on-screen keyboard, ancillary function driver, and DirectShow, and the moderate bulletin fixed a denial-of-service bug in the Microsoft service bus.

Microsoft said it had not observed any attacks in the wild targeting any of these flaws.

IE Oh My
Microsoft fixed 24 flaws in Internet Explorer (MS14-037), one publicly disclosed bug and 23 privately reported ones. This is after Microsoft patched 59 vulnerabilities in Internet Explorer last month. The issues are critical for Internet Explorer 6 to Internet Explorer 11 on Windows machines, but just moderate on Windows servers.

Attackers can exploit the IE bugs by tricking users into visiting a specially crafted malicious site. Once the attack succeeds, the attacker would have the same user rights as the compromised user. Users with fewer rights—not logged in as Administrator, for example—would be less impacted.

“It remains to be seen if Microsoft has cleaned up the Internet Explorer vulnerability closet for the next few months or if this is the new normal,” said Marc Maiffret, CTO of BeyondTrust.

Obscure Windows Software
The issue with Windows Journal (MS14-038) could allow attackers to remotely execute malicious code. Windows Journal is installed by default on all supported versions of Windows, from Vista to 8.1, but isn’t commonly used. Windows Journal can be used on touch-enabled devices as well as non-touch Windows computers to capture handwritten notes. The vulnerability was in how Windows opened files saved in the Windows Journal (.jnt) format.

The Windows Journal bug is a “great example of how unused software can be abused by attackers,” stated Craig Young, a security researcher at Tripwire.

Windows Journal is not installed on Windows Server versions.

Maiffret recommending treating the file extension as if it was an executable and block it on the Web and email gateways.

If there is a reason why the two critical patches can’t be installed immediately, uninstalling Windows Journal and switching to a different Web browser are sufficient workarounds. “While a patch is always preferred, limiting the attack surface is a good backup,” said Tyler Ranguly, manager of security research for Tripwire.

Remaining Patches
The bulletins rated important fixed bugs uncovered during the pwn2own contest back in March. The local elevation of privilege issues can be exploited to give unprivileged users greater access to the vulnerable system. They can be used in chained attacks to compromise the system, suggested Ross Barrett, senior manager of security engineering at Rapid7. “Given the nature of their disclosure,

[they] must be known to have exploit code,” Barrett warned.

The ancillary function driver bug can be paired with “something like the Internet Explorer vulnerabilities from this month to allow for drive-by web attacks that result in execution of code in the kernel,” Maiffret said.